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Full POC kext loader (KAMIKAZE) with example "kext" is in the el_task_for_pid" branch. Should be able to check it out 

DOCUMENT INFO 

through repo: 

TAGS 

repo init -u .../ios_manifest.git -b el_task_for_pid 


1 have one module (CLOUD) currently which register a Mac Policy, simply an example to see it working, but also 
performs a task_for_pid in the kernel to bypass entitlements. It will enable two way comms to/from userspace/kernel and 
supports arbitrary parameters. Never got a chance to test binding on 64-bit so might be broken. My main reason behind 
doing this was to prevent having to pass/inherit the kernel task port between process. Simply need to pass an arbitrary 

RELATED 

mach port between your injected processes. 1 was planning on putting some authentication in at the kernel level to try 
and verify who the requests come from but never had time to investigate. May not be worthwhile. 

COMMENTS 

I've tried to create a mini framework which will enable me to quickly create new 'kexts' with the common kmod base. Feel 
free to experiment and give me a shout if you can't get it work 

HISTORY 

Associated Ghidra scripts in symdra, el.py in elsym attempt to find the functions required to perform kext loading and 
bootstrapping. These will need more work to make them a bit more reliable. 1 had to make small changes between iOS 8 
& 9. Elsym requires quite a lot of offsets from the thread structure. They're all around the same place so in reality you 
only have to find one to get the rest. Probably doable in Ghidra with a bit of work. Only envisage ever using this in a 
persistent case for now. 
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SHADOWMAP 


Also in the same branch is all the code required to do 'shadow mapping'. I've included a new elutil (el_shadowmap) 
which will map in the 1st page of the kernel headers. Set of functions available to map other user space process/all of the 
kernel. 


It enables arbitrary kernel patching (both TEXT & DATA) however the patch guard will kill you on 9 if you modify 

TEXT. There is a section marked EXPERIMENTAL where 1 tried to remap some kernel pages for 9. It did work, 

probably doesn't anymore as 1 changed it. Will need a little bit of work to enable it properly with a well-defined API. 


SHELLCODE 


Shadowmap module also provides the ability to allocate shellcode in the kernel. Fairly straightforward process which 
involves vm_allocating memory in the kernel (new el_allocate/el_deallocate/eLprotect functions in el), modifying the 
kernel page tables to turn off the NX bit, then mapping the new allocation into the current user space process. This 
allows the user space process to access the new allocation directly and operate directly on the memory. It's a 
fundamental aspect of the kext loading functionality of kamikaze 



